More doubts surface over enforceability of ACMA's blacklist

With the leaking of the supposed Australian Communication & Media Authority's (ACMA) URL “blacklist”, further doubts have been raised over whether such a list, and even Web Filtering itself, can successfully achieve the federal government's goal of protecting Australians from undesirable content like child pornography.

For Mark Newton, network engineer at ISP Internode, the government’s insistence on secrecy of the blacklist was itself proof of the failed concept of blacklisting.

“[Blacklists] absolutely don’t work – not even the federal government believes that and that’s why it wants to keep the list secret,” Newton said. “If blacklists worked then no one would be able to see what’s on them.”

According to Colin Jacobs, vice chair at the Electronic Frontier Foundation (EFF), the ACMA blacklist was totally ineffective for the goal of cracking down on the traffic of child abuse material.

“Firstly, most illegal material is not published on the Web but is traded using other means such as peer-to-peer in secretive communities. Secondly, circumvention of the blacklist will be trivial for anyone who cares to Google for the methods, which of course will include those interested in such material,” Jacobs said. “As things stand, they have no way to know (except a decrease in traffic), and no formal mechanism exists for requesting removal.”

While enforcing ACMA’s blacklist was technically possible, doing so would result in “collateral damage” for Web users.

“DNS poisoning or IP blocking are reasonably straightforward for an ISP to do, but will also block other Web sites and Web pages on the same Web server. For blocking at the individual page level, there are still options, but they cause more problems with speed, cost, privacy and security,” Jacobs said. “That said, any filter will be easy to circumvent, so in that sense enforcement is totally impractical.”

Chris Thomas, principal consultant at CA's Internet security business unit for Asia Pacific and Japan said that from a purely technical point of view ACMA’s blacklist was workable, but in practice unworkable.

“If all Web traffic was routed through a single choke point, and the blacklist was enforced at this point, then yes it is possible,” Thomas said. “To do this on the scale proposed – with the number of independent ISPs in the Australian market – is ambitious at best. A small number of 'underground' providers that do not apply the filtering would undermine the intent of the blacklist.”

Thomas said to be effective, a workable blacklist must also include services like anonymous Web proxies.

While these would provide a way for people to get to sites that would otherwise be blocked by a blacklist, they also provide an important service for people to maintain their privacy.

According to Internode’s Newton, ACMA’s blacklist also fell over due to the notion that it could contain illegal material as this presupposed that the police had not acted to take down the material.

“If it is a question of illegality then you get the police to investigate it and make it stop. I think it’s outrageous that [the blacklist presumes that] illegality on the Internet is fine, we just have to throw a bed sheet over it and pretend that it’s fine,” he said.

Citing a recent Cambridge University study comparing the effectiveness of take down regimes of various disciplines across the world, Newton said child abuse material typically was taken down 150-times slower than online fraud sites.

“Banks on average get fraud sites anywhere in the world taken down with an average response time of six and a half hours,” he said. “Organisations like ACMA take 30 days just to process a complaint. Banks have a profit motive to act quickly, but clearly ACMA, whatever its motive, doesn’t act.”

Internet Industry Association (IIA) chief executive Peter Coroneos said the ACMA blacklist was only effective to the extent that it was still current (a matter for ACMA updates to ensure), and whether the Internet user chose to install and use a Web filter.

Coroneos said ISPs are only bound by IIA codes which required them to offer filters for “optional” use by end-users under the IIA Family Friendly ISP scheme.

“This scheme has been in place for ten years, and its existence has meant that the default provisions under current legislation requiring ISPs to block offshore sites have never triggered,” Coroneos said. “In short, the presence of the IIA codes has meant that mandatory ISP filtering – as required by the 1999 legislation – has never triggered.”

However, this would be different under the federal government's proposed mandatory system where these matters would assume far greater importance, Coroneos said.

“It will be for the government to tell us how it intends to manage the list security and other matters raised in our 2008 feasibility report on this issue. Presumably the government will also tell us how it intends to manage the transparency and accountability questions that many have asked. Suffice to say we brought many of these concerns to the government's attention more than a year ago.”

Internode’s Newton was not optimistic about the potential success of such a mandatory scheme.

“You can’t solve social problems with technology,” he said. “By and large society recognises that.”

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.